Having a Linux system automatically log in to a graphical program on boot is surprisingly difficult. Common solutions involve setting up a display manager with custom configuration, and it gets messier from there. Fortunately there is a better way: xlogin uses systemd to launch X for a given user.

The developer describes it as a stop-gap workaround, but after four years it is still a leading solution. xlogin consists of two systemd services, a launching wrapper script, and an xinitrc config tweak. If it is a hack it is a very elegant one: the four files together come to just forty lines (31 if you remove comments and whitespace).

Unfortunately it’s not packaged for Debian. While shovelling some files on to the disk works as a short-term measure, in the long run I really need it to be packaged; it greatly helps the image generation and allows long-term maintenance. So I prepared a quick ugly package. It currently has some issues, like bad source package generation, that don’t impact me but need to be fixed. I’ll clean it up and look at submitting it in a few weeks.

Package Managing

To feed the packages in to multistrap requires a Debian repository. Fundamentally this is an HTTP or FTP directory tree with a few specially formatted files. There are a plethora of tools to assist in creating this, but as is common when there are lots of tools doing the same job, none of them stands out as being considerably better than the others. I chose to use reprepro; it isn’t easy to set up, but blindly following online guides worked for me.

Keyring Managing

Debian signs all of its packages as a basic assurance measure. The Debian tools take some convincing to run unsigned packages, so it is easier when building your own packages to sign them too.

Signing is the easy half. You generate a gpg key, feed it to reprepro, and it signs all the packages it delivers.

Where things get a bit more complex is getting the public key in to the client computer so that it can verify the key. The quick solution is to push the key in to apt-key when generating the image. This works but is difficult to maintain.

The more complete solution, which Debian uses for its own packages, is to create a keyring containing all the valid keys. This keyring is then packaged and distributed through the package management system. Structuring it this way allows keys to be added or revoked as required by pushing a package update. Doubling down on the complexity, the keyring package is managed with a cluster of programs called jetring, which provide traceability of changes.

I built my own keyring package, lodlabs-keyring, based on debian-archive-keyring, which I distribute through my development package manager. With this setup I can feed multistrap custom packages at will.

A quick note: using this technique, multistrap must be able to acquire the keyring package itself. So the image-generating machine must tie apt in to the private repository and have the keyring installed.
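
As an added illustration (not part of the original post), here is a constructed multistrap configuration that pulls from Debian and from a private repository, together with a small check for the two settings that would undo the keyring work: noauth=true in [General], and a repository section that names no keyring package. The section names, architecture, repository URL and package lists are assumptions.

```shell
#!/bin/sh
# Constructed multistrap config. Section names, the private repository URL
# and the package lists are placeholders, not values from the post.
sample_config() {
cat <<'EOF'
[General]
arch=armhf
noauth=false
bootstrap=Debian Local
aptsources=Debian Local

[Debian]
source=http://deb.debian.org/debian
suite=stable
keyring=debian-archive-keyring
packages=systemd xinit

[Local]
source=http://repo.example.invalid/debian
suite=stable
keyring=lodlabs-keyring
packages=xlogin
EOF
}

# Read a multistrap config on stdin and print one line per problem:
# authentication switched off for the whole run, or a repository section
# (one with source=) that names no keyring package. Exit status 1 if any.
lint_multistrap() {
    awk -F= '
        function report() {
            if (repo && !has) { print sec ": no keyring= package"; bad = 1 }
            repo = 0; has = 0
        }
        /^\[/ { report(); sec = $0; gsub(/\[|\]/, "", sec); next }
        sec == "General" && $1 == "noauth" && $2 == "true" {
            print "General: noauth=true disables apt authentication"; bad = 1
        }
        $1 == "source" { repo = 1 }
        $1 == "keyring" && $2 != "" { has = 1 }
        END { report(); exit bad + 0 }
    '
}

sample_config | lint_multistrap && echo "config OK"
```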

Creating your own keyring package

For a very small, simple package, creating your own keyring is a bit of work.

For starters, you need the basics:

apt-get build-dep debian-archive-keyring
apt-get source debian-archive-keyring

The debian-archive-keyring has a few directories:

  • keyrings:
    This contains the generated keyrings, the end products. They are created by the Makefile.
  • active-keys, removed-keys, team-members:
    Each of these directories contains a collection of keys.
    The keys are of a custom file format, generated by jetring from a gpg key.
    Instructions for creating a key are in README.maintainer.
    There is also an index file with a checksum for each key; this can be generated by jetring-accept.
    Finally there is an index.gpg file which signs the index; this can be generated by jetring-signindex.

    • active-keys:
      This keyring is used to verify the archive packages and is distributed in the generated package.
    • removed-keys:
      This keyring is used to revoke previous active keys and is distributed in the generated package.
    • team-members:
      This keyring is used by the package generation to verify the active and removed keyrings. It is not distributed outside the package.

To proceed you are going to need two gpg keys. You can probably use the same key twice but it wouldn’t be advisable. I generated two different subkeys following the instructions here. The active subkey is the one used to set up reprepro and sign your packages. The team subkey is your personal signing key.

Push the personal key into the team keychain, then the reprepro key into the active keychain, by following the instructions in debian-archive-keyring’s README.maintainer.

Once your keys are in the packaging key directories, delete all the other keys in active-keys and team-members. Edit the index files so that only your key entry remains. Then re-sign the index by running jetring-signindex over each folder.

You can also delete all the keys in removed-keys, create an empty index file and sign it with jetring-signindex.

Now if you run ‘make’ it should generate new keyring files only containing your keys.

To complete the package it will need to be renamed. Edit all the debian files, changing every instance of debian-archive-keyring to your-keyring. The changelog, copyright and control files will all need to have portions partially rewritten. The debian-archive-keyring script files in the debian folder will need to be renamed and the debian-archive-keyring instances in the Makefile will all need to be changed.

The generated keyring files must be signed; run:
gpg --armor --detach-sign keyrings/your-removed-keys.gpg

Finally, invoking ‘debuild -b -uc -us’ should spit out your-keyring_<year>.<month>_all.deb.
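
A check worth running on each key directory after the pruning step above, before its index is re-signed: confirm that the index and the files on disk agree, so that no key you meant to drop is still present. This is an added example, not part of the original post or of jetring. It assumes the index uses the checksum-list format accepted by sha1sum -c or sha256sum -c, and it treats every file other than index and index.gpg as a changeset.

```shell
#!/bin/sh
# check_jetring_dir DIR: succeed only if every index entry matches its file and
# every other file in DIR (apart from index and index.gpg) is listed.
# Assumption: index lines read "<hex digest>  <changeset file>", the format
# sha1sum -c / sha256sum -c accept; the tool is chosen by digest length.
check_jetring_dir() (
    cd "$1" || exit 2
    status=0
    if [ -s index ]; then
        case $(awk 'NR == 1 { print length($1) }' index) in
            40) sum=sha1sum ;;
            64) sum=sha256sum ;;
            *)  echo "index: unrecognised digest length"; exit 2 ;;
        esac
        # Show only the entries that fail; any output means a mismatch.
        LC_ALL=C "$sum" -c index 2>&1 | grep -v ': OK$' && status=1
    fi
    for f in *; do
        case $f in index|index.gpg|'*') continue ;; esac
        awk -v f="$f" '$2 == f { hit = 1 } END { exit !hit }' index ||
            { echo "$f: present but not in index"; status=1; }
    done
    exit "$status"
)

# Constructed demo: one listed changeset, then a stale one left behind.
demo() {
    d=$(mktemp -d) || return 2
    echo "constructed changeset for my repo key" > "$d/add-my-repo-key"
    (cd "$d" && sha256sum add-my-repo-key > index)
    check_jetring_dir "$d" && echo "clean: ok"
    echo "constructed stale changeset" > "$d/add-old-archive-key"
    check_jetring_dir "$d" || echo "stale changeset detected"
    rm -rf "$d"
}
demo
```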